Google Cloud Platform Project Default Service Accounts

This page shows how to write Terraform for Google Cloud Platform project default service accounts, and how to configure them securely.

google_project_default_service_accounts (Terraform)

Project default service accounts in Google Cloud Platform are managed in Terraform with the resource google_project_default_service_accounts. The following sections show examples of how the resource and its parameters are used.

Example Usage from GitHub

SnidermanIndustries/checkov-fork
resource "google_project_default_service_accounts" "not_ok" {
  project = "my-project-id"
  # This fixture is labelled "not_ok" in the checkov test suite; DELETE is the
  # action the provider warning further down advises against.
  action  = "DELETE"
  # The original fixture also set id = "1234". id is a computed attribute that
  # Terraform rejects in configuration, so it is omitted here.
}

melscoop-test/check and bridgecrewio/checkov
The same "not_ok" fixture (project = "my-project-id", action = "DELETE") appears verbatim in both of these repositories; it is not repeated here.

seankhliao/mono
resource "google_project_default_service_accounts" "default" {
  # Project ID taken from a google_project data source defined elsewhere in the module
  project = data.google_project.default.project_id
  action  = "DEPRIVILEGE"
}

akkornel/gcs_gcp
resource "google_project_default_service_accounts" "globus" {
  project = var.project_id
  action  = "DEPRIVILEGE"
}


Parameters

  • action required - string
    • The action to perform on the default service accounts. Valid values are DEPRIVILEGE, DELETE and DISABLE. DEPRIVILEGE strips the IAM roles Google granted the accounts automatically but leaves the accounts in place; DELETE removes them; DISABLE keeps them but blocks their use. Note that the DEPRIVILEGE action ignores a REVERT setting in restore_policy.

  • id optional, computed - string
    • Terraform's identifier for the resource; it is set by the provider and cannot be given in configuration.

  • project required - string
    • The ID of the project whose default service accounts are managed.

  • restore_policy optional - string
    • The action to perform on the default service accounts when the resource is destroyed. Valid values are NONE, REVERT and REVERT_AND_IGNORE_FAILURE. It applies to every action except DEPRIVILEGE.

  • service_accounts computed - map of string
    • The service accounts changed by this resource. It is used to revert the action on destroy.

Explanation in Terraform Registry

Allows management of Google Cloud Platform project default service accounts. When certain service APIs are enabled, Google Cloud Platform automatically creates service accounts to help users get started, but Google's documentation does not recommend relying on them in production environments. See the Organization documentation for more details.

WARNING: Some Google Cloud products do not work if the default service accounts are deleted, so it is better to DEPRIVILEGE them: Google CAN NOT recover service accounts that have been deleted more than 30 days ago. Google also recommends using the constraints/iam.automaticIamGrantsForDefaultServiceAccounts constraint to disable automatic IAM grants to default service accounts. This resource works on a best-effort basis, since no API formally describes the default service accounts, and it exists for users who are unable to use constraints. If the default service accounts change their names, or additional default service accounts are added, this resource will need to be updated.
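The following configuration is an added example, not code from the page or from any of the repositories listed above. It combines the two controls the parameter list and the warning describe: the organization policy constraint stops Google from granting roles to default service accounts created in the future, and the google_project_default_service_accounts resource strips the grants from the accounts that already exist, using DEPRIVILEGE rather than DELETE so that products depending on the accounts keep working and nothing has to be undeleted. It assumes a project ID supplied as var.project_id and a caller identity permitted to set project-level organization policies.

```hcl
# Added example; assumes var.project_id and an identity that may manage
# organization policies on the project.
variable "project_id" {
  type        = string
  description = "Project whose default service accounts are locked down"
}

# 1. Prevent automatic IAM grants to any default service account created from
#    now on (for example when a further service API is enabled).
resource "google_project_organization_policy" "no_auto_grants" {
  project    = var.project_id
  constraint = "iam.automaticIamGrantsForDefaultServiceAccounts"

  boolean_policy {
    enforced = true
  }
}

# 2. Strip the automatically granted roles from the default service accounts
#    that already exist. DEPRIVILEGE keeps the accounts, so products that still
#    rely on them continue to run, and there is no 30-day undelete window to miss.
#    restore_policy is deliberately not set: the provider ignores it for
#    DEPRIVILEGE, and the removed grants are not re-created on destroy.
resource "google_project_default_service_accounts" "deprivilege" {
  project = var.project_id
  action  = "DEPRIVILEGE"

  # Ordering only; the constraint does not depend on this resource, but
  # applying it first guarantees no new grant slips in between the two steps.
  depends_on = [google_project_organization_policy.no_auto_grants]
}
```

If DELETE or DISABLE is chosen instead, set restore_policy = "REVERT" so that destroying the resource undeletes or re-enables the accounts; with DELETE that revert only works while the accounts are still inside Google's 30-day recovery window. Because the resource enumerates the default accounts on a best-effort basis, re-run terraform plan after enabling new APIs to confirm that any newly created default account is covered.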

Frequently asked questions

What is Google Cloud Platform Project Default Service Accounts?

Google Cloud Platform Project Default Service Accounts is a resource for Cloud Platform in Google Cloud Platform. Its settings can be written in Terraform.

Where can I find the example code for the Google Cloud Platform Project Default Service Accounts?

For Terraform, the SnidermanIndustries/checkov-fork, melscoop-test/check and seankhliao/mono source code examples are useful. See the Example Usage from GitHub section above for further details.
